Which solution meets these requirements with the LEAST amount of operational overhead?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A company has an organization in AWS Organizations that has a large number of AWS accounts.One of the AWS accounts is designated as a transit account and has a transit gateway that is shared with all of the other AWS accounts.AWS Site-to-Site VPN connections are configured between all of the company’s global offices and the transit account.The company has AWS Config enabled on all of its accounts.The company’s networking team needs to centrally manage a list of internal IP address ranges that belong to the global offices.Developers will reference this list to gain access to their applications securely.

Which solution meets these requirements with the LEAST amount of operational overhead?

Create a JSON file that is hosted in Amazon S3 and that lists all of the internal IP address ranges. Configure an Amazon Simple Notification Service (Amazon SNS) topic in each of the accounts that can be invoked when the JSON file is updated. Subscribe an AWS Lambda function to the SNS topic to update all relevant security group rules with the updated IP address ranges.

Create a new AWS Config managed rule that contains all of the internal IP address ranges. Use the rule to check the security groups in each of the accounts to ensure compliance with the list of IP address ranges. Configure the rule to automatically remediate any noncompliant security group that is detected.

In the transit account, create a VPC prefix list with all of the internal IP address ranges. Use AWS Resource Access Manager to share the prefix list with all of the other accounts. Use the shared prefix list to configure security group rules in the other accounts.

In the transit account, create a security group with all of the internal IP address ranges. Configure the security groups in the other accounts to reference the transit account’s security group by using a nested security group reference of “/sg-1a2b3c4d”.

Explanations:

While hosting a JSON file in S3 and using SNS to update security groups provides a way to manage IP address ranges, it introduces significant operational overhead. This solution requires constant monitoring of the S3 file and the management of Lambda functions for updates, making it less efficient.

Creating an AWS Config managed rule to check compliance and remediate noncompliance is a proactive approach but does not provide a central, dynamic way to manage IP address ranges. It would require continuous monitoring and action on noncompliance rather than simply referencing a central list.

Creating a VPC prefix list in the transit account and sharing it with other accounts using AWS Resource Access Manager is efficient. This solution allows for centralized management of IP address ranges, reduces operational overhead, and enables other accounts to easily reference the prefix list in their security group rules.

Creating a security group in the transit account with internal IP address ranges does not allow other accounts to dynamically manage or update those ranges. Additionally, AWS security groups cannot be referenced across accounts as described; instead, prefix lists are the correct mechanism for this purpose.

2025-10-05

1 Comment

  1. Denise
    Author

    I rate that the answer is:
    In the transit account, create a VPC prefix list with all of the internal IP address ranges. Use AWS Resource Access Manager to share the prefix list with all of the other accounts. Use the shared prefix list to configure security group rules in the other accounts.

Leave a Reply to Denise Cancel reply

Your email address will not be published. Required fields are marked *

2 × three =